MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cb5a93eec2726f651d8a61a9e865d46a93324992d9a2467edb6b83b64789985. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6cb5a93eec2726f651d8a61a9e865d46a93324992d9a2467edb6b83b64789985
SHA3-384 hash: 02a8cdf6eca98e79ee020acba8caf13ab15c91336458ae0858f46efeed5373b7eb51b38897be76d6a5b9d6a500541dd9
SHA1 hash: 5cc7c867d8b5238fa7ad4718c5ba5d105e72cd22
MD5 hash: 69cb30fd3d94cfcc7c89a1f41a47d8dd
humanhash: golf-early-stairway-table
File name:J3m1a_Payment_Copy.vbs
Download: download sample
Signature njrat
Create hunting rule
File size:2'283 bytes
First seen:2021-11-18 19:17:17 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24:JVkNGJYuIoviVLF5FFOY9NFMffNAVPvyJCCKaV7A9F0ZTFkFo9bFQZpFOyoQeFiT:bXgHpUf+VPaEqnIoTS
Threatray 3'296 similar samples on MalwareBazaar
TLSH T1F8417B38FD1BBB824821F57661E78CD5CEEC1017DB843C3C21120C7849918BD6AAC0BB
Reporter abuse_ch
Tags:NjRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.ISB.Downloadergen81.27450.16990.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/6196a6ef43e8f62b66992c5d/reports/debeae74-d442-43a5-8a78-55a61be64b77/overview
Result
Verdict:
SUSPICIOUS
Result
Threat name:
Nanocore Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/892221
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Obfuscated command line found
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: NanoCore
Sigma detected: Suspicious PowerShell Command Line
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Nanocore RAT
Yara detected Njrat
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 524692 Sample: J3m1a_Payment_Copy.vbs Startdate: 18/11/2021 Architecture: WINDOWS Score: 100 74 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->74 76 Multi AV Scanner detection for domain / URL 2->76 78 Found malware configuration 2->78 80 13 other signatures 2->80 10 wscript.exe 2 2->10         started        14 jsc.exe 2->14         started        16 jsc.exe 2->16         started        process3 file4 56 C:\Users\Public\Downloads\HBar.ps1, ASCII 10->56 dropped 90 VBScript performs obfuscated calls to suspicious functions 10->90 92 Wscript starts Powershell (via cmd or directly) 10->92 94 Obfuscated command line found 10->94 18 powershell.exe 18 10->18         started        21 conhost.exe 14->21         started        23 conhost.exe 16->23         started        signatures5 process6 signatures7 82 Bypasses PowerShell execution policy 18->82 25 powershell.exe 14 18 18->25         started        29 conhost.exe 18->29         started        process8 dnsIp9 58 transfer.sh 144.76.136.153, 443, 49743, 49746 HETZNER-ASDE Germany 25->58 84 Creates an undocumented autostart registry key 25->84 86 Writes to foreign memory regions 25->86 88 Injects a PE file into a foreign processes 25->88 31 jsc.exe 25->31         started        36 jsc.exe 25->36         started        38 jsc.exe 25->38         started        40 3 other processes 25->40 signatures10 process11 dnsIp12 60 jamcav.duckdns.org 185.140.53.3, 49778, 49790, 49791 DAVID_CRAIGGG Sweden 31->60 62 192.168.2.1 unknown unknown 31->62 50 C:\Users\user\AppData\Roaming\...\run.dat, data 31->50 dropped 66 Hides that the sample has been downloaded from the Internet (zone.identifier) 31->66 68 Uses netsh to modify the Windows network and firewall settings 36->68 70 Modifies the windows firewall 36->70 64 legend4000.duckdns.org 52.170.223.88, 4000, 49827 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 38->64 52 C:\ProgramData\XXX\Microsoft.Exe, PE32 38->52 dropped 72 Creates an autostart registry key pointing to binary in C:\Windows 38->72 42 netsh.exe 38->42         started        54 C:\Users\user\...behaviorgraphoogleCrashHandler.exe, PE32 40->54 dropped 44 GoogleCrashHandler.exe 40->44         started        file13 signatures14 process15 process16 46 conhost.exe 42->46         started        48 conhost.exe 44->48         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6cb5a93eec2726f651d8a61a9e865d46a93324992d9a2467edb6b83b64789985/
Threat name:
Script.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-11-18 19:18:08 UTC
AV detection:
3 of 44 (6.82%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ns22spxme4tpmuoyuynj5bs5i2utgjezfwnciz7nw24dwzdytgcq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
njrat
Create hunting rule
Similar samples:
07f511ce3b6a8fb409c1a05ea3e01a6d92422674224109c8d0889a017122098c
njrat
2b8a102443d6ed4c84471a54f058f24f5f55485bba73ebd785fdce294e337110
njrat
3d8811d64e17d5ea06d0edae6163b90b2400d06d9afa60ae689d6fe9232bca86
njrat
4d394ed696ee7fb3d53a7b064c53f2157b28d9f192de912fe311dd284845e4c9
njrat
5a8b4dc95322eed89a2c77350395f8c1f79394369bebec84703ae285092a37f5
njrat
7ceb354c4f419b3daed055ae62d5b1aaf58a7b715f8e9de08e5379e7e70ebeb6
njrat
816d9c966736b02b56d23629f8968fdb4f910fd575c4c07b524bd51948c5d4ed
njrat
8d8c15469072ede8e80eb85c7f3ef44ba53778831c28dab5a6562a0672b1bc72
njrat
9f96527c9f839559485e89c5c5ff8f95708035fd55c9fac0c2edf3764224d860
njrat
c793569980c9bf4b3d296903da942e9a11f4c6e2fb0023517a037fc3d56c1b36
njrat
+ 3'286 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:nanocore family:njrat botnet:hacked evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/211118-xzyqhaacf6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Blocklisted process makes network request
Executes dropped EXE
Modifies Windows Firewall
NanoCore
njRAT/Bladabindi
Malware Config
C2 Extraction:
jamcav.duckdns.org:6746
Malware family:
Winnti Group
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6cb5a93eec27/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6cb5a93eec2726f651d8a61a9e865d46a93324992d9a2467edb6b83b64789985

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/207367/

Comments